

Enterprise Infrastructure Solutions

Volume 1—Technical Volume—EIS MTIPS Risk Management Framework Plan

SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003


SENSITIVE BUT UNCLASSIFIED

November 4, 2016

Data contained on this page is subject to the restrictions on the title page of this proposal.

Managed Trusted Internet Protocol Service (MTIPS)

Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Network Services and Network Management Systems in accordance with (IAW) C.2.8.4.5 (NIST FIPS 199 High-Impact Baseline)

Version 1.0

November 4, 2016

Prepared by Qwest Government Services, Inc. dba CenturyLink QGS, 4250 North Fairfax Drive, Arlington, VA 22203


TABLE OF CONTENTS

Revision History ... iii
Step 1—Define the Security System ... 1
  Task 1-1—Security Categorization ... 1
    Information System Owner ... 3
  Task 1-2—Information System Description ... 4
    System Environment ... 7
  Task 1-3—Information System Registration ... 18
Step 2—Select Security Controls ... 19
  Task 2-1—Common Control Identification ... 19
    Overall CenturyLink Infrastructure ... 22
  Task 2-2—Security Control Selection ... 31
  Task 2-3—Monitoring Strategy ... 31
    Access Monitoring ... 32
    File Integrity and Configuration Monitoring ... 32
    Network Monitoring ... 33
    Automated Inventory Monitoring ... 33
    Real-Time Alerts ... 33
    Security Vulnerability Scanning ... 34
    Security Penetration Testing (C.2.8.4.5.4 (20, 22)) ... 34
  Task 2-4—Security Plan Approval ... 35
Step 3—Implement Security Controls ... 35
  Task 3-1—Security Control Implementation ... 35
  Task 3-2—Security Control Documentation ... 37
Step 4—Assess Security Controls ... 37
  Task 4-1—Assessment Preparation ... 37
  Task 4-2—Security Control Assessment ... 37
  Task 4-3—Security Assessment Report (C.2.8.4.5.4 (19)) ... 38
  Task 4-4—Remediation Actions ... 38
Step 5—Authorize Information System ... 38
  Task 5-1—Plan of Action and Milestones ... 38
  Task 5-2—Security Authorization Package (C.2.8.4.5.3, C.2.8.4.5.4 (1 through 27)) ... 38
  Task 5-3—Risk Determination ... 41
  Task 5-4—Risk Acceptance ... 42
Step 6—Monitor Security Controls ... 42
  Task 6-1—Information System and Environment Changes ... 42
  Task 6-2—Ongoing Security Control Assessments ... 43
  Task 6-3—Ongoing Remediation Actions (C.2.8.4.5.4 (24)) ... 44
  Task 6-4—Key Updates ... 44
  Task 6-5—Security Status Reporting ... 44
  Task 6-6—Ongoing Risk Determination and Acceptance ... 44
  Task 6-7—Information System Removal and Decommissioning ... 45


LIST OF FIGURES

Figure 1. MTIPS 2.0 Standard Portal A&A Boundary ... 7
Figure 2. MTIPS 2.0 Augment Portal A&A Boundary ... 8
Figure 3. MTIPS 2.0 Standard Portal Traffic Flow ... 9
Figure 4. MTIPS 2.0 Augment Portal Traffic Flow ... 10
Figure 5. SOC Site 1 Logical Detail (San Diego) ... 11
Figure 6. SOC Site 2 Logical Detail (Columbia, MD) ... 12
Figure 7. Site Physical Detail San Diego ... 13
Figure 8. Site Physical Detail Columbia, MD ... 14

LIST OF TABLES

Table 1. MTIPS Information Type Categorization ... 2


REVISION HISTORY

Revision | Revision Description | Authors | Approval | Date
1.0 | Original Release | Robert Ellis | Peggy Macdonald | 02/22/2016


STEP 1—DEFINE THE SECURITY SYSTEM

TASK 1-1—SECURITY CATEGORIZATION

The General Services Administration (GSA) assigned an information sensitivity category for Managed Trusted Internet Protocol Service (MTIPS) based on the federal government requirement and Federal Information Processing Standard (FIPS) 199. FIPS 199 requires MTIPS security to safeguard data and information from unauthorized disclosure, protect data from unauthorized modification, and ensure that services are available to meet mission requirements.

Protection ratings are determined for each of these three categories:

• Confidentiality: MTIPS contains information that requires protection from unauthorized disclosure
• Integrity: MTIPS contains information that must be protected from unauthorized, unanticipated, or unintentional modification
• Availability: MTIPS contains information or provides services that must be available on a timely basis to meet mission requirements, or to avoid substantial losses

MTIPS is rated as one of the following:

• High: the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

To determine the information types that MTIPS will potentially handle, GSA used National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, and Volume 2 Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Following the Office of Management and Budget's (OMB) Federal Enterprise Architecture (FEA) Business Reference Model (BRM), GSA determined that the MTIPS business areas will deliver services and manage resources, serving in a supportive role to an agency's mission but not directly processing any agency mission-based information types.

The information types that MTIPS will potentially handle, with the associated provisional impact levels due to loss of any of the three security objectives (confidentiality, integrity, and availability), are shown in Table 1. The high watermark method was used to determine the overall information categorization.

Table 1. MTIPS Information Type Categorization

Information Type | Confidentiality | Integrity | Availability
Contingency planning | Low | Low | High
Continuity of operations | Low | Low | High
Service recovery | Low | Low | High
Goods acquisition | Low | Moderate | Low
Inventory control | Low | Moderate | Low
Logistics management | Low | Moderate | Low
Services acquisition | Moderate | Moderate | Low
System development | Moderate | Moderate | Low
Life cycle/change management | Low | Moderate | Moderate
System maintenance | High | Moderate | Moderate
Information technology (IT) infrastructure maintenance | High | High | High
MTIPS security | Moderate | Moderate | High
Record retention | Moderate | High | Low
Information management | Moderate | Moderate | Moderate
System and network monitoring | High | High | High
Information sharing | Moderate | Moderate | Moderate
Overall information categorization | High | High | High

As part of the MTIPS system development life cycle (SDLC) and security assessment and authorization (A&A) processes, CenturyLink periodically reviews the list of information types to add and remove data types, as necessary, and updates the impact to the above security objectives.


In summary, the MTIPS overall sensitivity rating is high based on the following:

• Requirements for confidentiality, integrity, and availability protections
• Related level of sensitivity
• Highest magnitude of harm directly resulting from loss, misuse, modification to, or unauthorized access to information on MTIPS

Information System Owner

GSA
Name: Kevin Gallo
Title: GSA System Owner
Agency: GSA
Address: 1800 F Street NW, Washington, DC 20450
Email Address: [email protected]
Phone Number: 703-306-6616

CenturyLink
Name: Tim Meehan
Title: Vice President
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 4250 N Fairfax Drive, Arlington, VA 22203
Email Address: [email protected]
Phone Number: 703-363-8755


System Environment

Figure 1. MTIPS 2.0 Standard Portal A&A Boundary


Figure 2. MTIPS 2.0 Augment Portal A&A Boundary


Figure 3. MTIPS 2.0 Standard Portal Traffic Flow


Figure 4. MTIPS 2.0 Augment Portal Traffic Flow


TASK 1-3—INFORMATION SYSTEM REGISTRATION

The registration process will begin with the definition of the A&A (or authorization) boundary in the Security Assessment Boundary and Scope Document (BSD), as referenced in RFP Section C.2.8.4.5.4 (2). This section identifies the information system and subsystems in the system inventory and establishes a relationship between the information system and the parent or governing organization that owns, manages, and/or controls the system.

The information system owner has primary responsibility for registering each EIS information system that supports network services and network management systems.

Primary Responsibility: CenturyLink Information System Owner
Name: Tim Meehan
Title: Vice President
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 4250 N Fairfax Drive, Arlington, VA 22203
Email Address: [email protected]
Phone Number: 703-363-8755

Supporting Roles: CenturyLink Information Systems Security Officer (ISSO)
Name: Robert Ellis
Title: Information System Security Officer (ISSO)
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 931 14th Street, Suite 1000B, Denver, CO 80202
Email Address: [email protected]
Phone Number: 720-578-2110

GSA Information System Security Manager (ISSM)
Name: David Trzcinski
Title: Information Systems Security Manager
Agency: GSA
Address: 1800 F Street, NW, Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6354

GSA ISSO
Name: William Olson
Title: Systems and Security Program Manager
Agency: GSA
Address: 1800 F Street, NW, Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6393

GSA personnel have performed the security categorization of the MTIPS information systems, which are determined to be FIPS 199 high impact.

STEP 2—SELECT SECURITY CONTROLS

TASK 2-1—COMMON CONTROL IDENTIFICATION

Common controls inherited within the MTIPS system authorization boundary will include:

• Physical security controls
• Environmental controls
• Centralized authentication mechanisms
  – SecurID
  – Active Directory
• Continuous monitoring systems


• 800-53 Control Tailoring Workbook (CTW) (C.2.8.4.5.4 (4))
• 800-53 Control Summary Table (C.2.8.4.5.4 (5))
• System Inventory (hardware, software, and related information) (C.2.8.4.5.4 (7))
• Security Incident Response Plan (IRP) (C.2.8.4.5.4 (15))
• Security Incident Response Test Plan
• Security Incident Response Test Report (C.2.8.4.5.4 (16))
• Supply Chain Risk Management (SCRM) Plan (C.2.8.4.5.4 (17))
• Contingency Plan (CP), including the Disaster Recovery Plan (DRP) and Business Impact Assessment (BIA) (C.2.8.4.5.4 (8))
• Contingency Plan Test Plan (CPTP) (C.2.8.4.5.4 (9))
• Contingency Plan Test Report (CPTPR) (C.2.8.4.5.4 (10))
• Interconnection Security Agreements (ISA) (C.2.8.4.5.4 (3))
• Configuration Management Plan (CMP) (C.2.8.4.5.4 (12))
• Systems Baseline Configuration Standard Document (C.2.8.4.5.4 (13))
• Audit Monitoring Program
• Continuous Monitoring Program (security risk mitigation) (C.2.8.4.5.4 (18))
  – Access monitoring
  – Configuration monitoring
  – Vulnerability monitoring (scanning)
  – Third-party penetration test report
  – Automated reporting to customer (if customer is prepared for it)
• Continuous Monitoring Plan
• e-Authentication documents
  – e-Authentication Executive Summary
  – e-Authentication Detail Report
  – e-Authentication Risk and Requirements Assessment Tool (database file)
• Independent External Penetration Test and Report (C.2.8.4.5.4 (20))


• User Access Authorization and Management Process
• Personnel Security Procedures
• Suitability Report (employee background investigation report)
• Security Test and Evaluation Plan (ST&E Plan)
• Security Test and Evaluation Report (ST&E Report) or Security Assessment Report (SAR) (C.2.8.4.5.4 (6))
• Annual FISMA Assessment (conducted per GSA CIO IT Security Procedural Guide 04-26, "FISMA Implementation") (C.2.8.4.5.4 (25))

In addition to the items above that are already included in our security A&A package or as deliverables, CenturyLink will include the following in its EIS MTIPS security A&A package or provide as deliverables:

• Code Review Report (if applicable) (C.2.8.4.5.4 (21))
• Monthly Reports on SCAP Common Configuration Enumerations (CCE) (NIST SP 800-53 R4: CM-6) (C.2.8.4.5.4 (26))
• Monthly Reports on SCAP Common Platform Enumeration (CPE) (NIST SP 800-53 R4: CM-8) (C.2.8.4.5.4 (26))
• Monthly Reports on SCAP Common Vulnerabilities and Exposures (CVE) (NIST SP 800-53 R4: CM-8) (C.2.8.4.5.4 (26))
• Independent Internal Penetration Test and Report (C.2.8.4.5.4 (20))

Document Management (C.2.8.4.5.4 (27))

CenturyLink develops and maintains all current policy and procedure documents, as outlined in the specified NIST documents and applicable GSA IT Security Procedural Guides. For EIS, they will be verified and reviewed during the initial security assessment, and updates will be provided to the GSA Contracting Officer's Representative (COR)/ISSO/ISSM biennially, to include the following:

• Access Control Policy and Procedures (NIST SP 800-53 R4: AC-1)
• Security Awareness and Training Policy and Procedures (NIST SP 800-53 R4: AT-1)


TASK 6-7—INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING

CenturyLink follows a system-removal and decommissioning policy and procedures that ensure all data are securely erased or destroyed before storage elements leave CenturyLink premises.